XP AntiMalware Analysis and Removal

XP AntiMalware belongs to the Trojan:Win32/FakeRean family and targets users running Windows XP. It is installed by a trojan dropper file that can install a rogue under any one of the names in the family's stable, together with a matching fake Windows Security Center.

Rogue security software such as XP AntiMalware belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; many of them instead add more malware of their own. Users should not fall for the fake alerts and must not buy the scareware. It needs to be removed from the system immediately.

When run, the trojan drops a hidden, system file named ave.exe in the %AppData% folder, which in turn drops a hidden, system file named y7V11 in multiple directories, including the %AppData% and %Temp% folders. You may need to enable viewing hidden folders and protected operating system files in the Folder Options control panel to see them. The scareware modifies the registry so that:

The scareware (ave.exe) executes every time any .exe file is run, an innovative way to autostart with Windows and to restart when killed via Task Manager. It also makes it difficult to install and run security programs.

Makes Internet Explorer the default browser and promptly hijacks it to display a scare message whenever it is run.

Hijacks both Firefox normal mode and Firefox safe mode (no add-ons), so that the scareware starts whenever Firefox is run and a fake alert is displayed.

Disables Windows Firewall

Disables genuine Windows Security Center notifications
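The behaviours listed above (the .exe association hijack, the hidden+system dropped files and the silenced Security Center notifications) can be checked on a host from a script. The following is an added example written for this article, not code from Malware Help.Org or from any tool it names. The registry paths it reads are the standard Windows XP locations, the dropped-file names come from the write-up, and the hijacked command string in the `__main__` block is a constructed sample shaped like the behaviour described, not a string taken from the malware.

```python
"""Host checks for the XP AntiMalware / FakeRean behaviours described above.

The decision logic is pure Python so it can be exercised on any platform;
live_audit() reads the real registry and only runs on Windows (winreg).
"""
import os
import re
import stat
import sys

# Windows' stock handler for .exe files: launch the file itself with its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Filenames the write-up reports this family dropping (compared case-insensitively).
KNOWN_DROPPED_NAMES = {"ave.exe", "y7v11"}

# Security Center values under HKLM\SOFTWARE\Microsoft\Security Center;
# data 1 silences the genuine Windows XP warning for that component.
SECURITY_CENTER_NOTIFY_VALUES = (
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
)


def exe_association_verdict(command):
    """Classify the command registered for opening .exe files.

    'ok' is the stock handler; 'hijacked' means another program was wrapped
    around the launched executable (the "%1" placeholder survives, so the
    victim's program still starts and nothing looks broken); 'unknown' is
    anything else, which still deserves a look.
    """
    if not command:
        return "unknown"
    normalized = " ".join(command.split())
    if normalized == DEFAULT_EXE_COMMAND:
        return "ok"
    if '"%1"' in normalized and not normalized.startswith('"%1"'):
        return "hijacked"
    return "unknown"


def wrapper_program(command):
    """Return the program placed in front of "%1" by a hijacked command, else None."""
    match = re.match(r'\s*"([^"]+)"', command or "")
    if match and match.group(1) != "%1":
        return match.group(1)
    return None


def is_hidden_system(attributes):
    """True when a file-attribute mask has both HIDDEN and SYSTEM set,
    the combination that keeps the dropped files out of a default Explorer view."""
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attributes & wanted == wanted


def silenced_notifications(values):
    """Given {value_name: data} from the Security Center key, list the alerts turned off."""
    return [name for name in SECURITY_CENTER_NOTIFY_VALUES if values.get(name) == 1]


def suspicious_dropped_files(folders):
    """Return (path, hidden_and_system) for known dropped names found in the folders."""
    hits = []
    for folder in folders:
        if not folder or not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if name.lower() in KNOWN_DROPPED_NAMES:
                path = os.path.join(folder, name)
                attrs = getattr(os.stat(path), "st_file_attributes", 0)
                hits.append((path, is_hidden_system(attrs)))
    return hits


def live_audit():
    """Read the real registry (Windows only) and return the findings as a dict."""
    if sys.platform != "win32":
        return {"error": "live registry audit needs Windows"}
    import winreg
    # HKCR is the merged view of HKLM and HKCU Software\Classes, with the
    # per-user branch winning, so it shows the association as the shell resolves it.
    try:
        progid = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ".exe")
        command = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, progid + r"\shell\open\command")
    except OSError:
        progid, command = None, None
    sc_values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Security Center") as key:
            for name in SECURITY_CENTER_NOTIFY_VALUES:
                try:
                    sc_values[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    pass
    except OSError:
        pass
    return {
        "exe_progid": progid,
        "exe_command": command,
        "verdict": exe_association_verdict(command),
        "wrapper": wrapper_program(command),
        "silenced_notifications": silenced_notifications(sc_values),
        "dropped_files": suspicious_dropped_files([os.environ.get("APPDATA"), os.environ.get("TEMP")]),
    }


if __name__ == "__main__":
    # Constructed sample of a hijacked command, shaped like the behaviour described above.
    sample = r'"C:\Documents and Settings\User\Application Data\ave.exe" "%1" %*'
    print(exe_association_verdict(sample), wrapper_program(sample))
    print(live_audit())
```

Run it on the affected Windows XP machine to print the live verdict; on any other platform the pure functions still work on command strings and attribute masks, which is how the test exercises them. Because the hijacked command keeps `"%1"`, a hijack shows up as a wrapper path in front of the placeholder rather than as a broken association.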

XP AntiMalware Aliases

The trojan dropper is about 204288 bytes in size and is detected by more than 50% of the antivirus engines available at VirusTotal.

This scareware is given the following names by different antivirus vendors:

Trojan.Win32.FakeAV!IK

W32/FakeSec.B.gen!Eldorado

Win32:MalOb-AL

Trojan.Win32.FraudPack.aovc

Win32/Kryptik.DBC

Mal/EncPk-NP

Mal/FakeAV-BT

Typical XP AntiMalware Scare Messages

System danger! Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working in the background right now. Perform an in-depth-scan and removal now.

Severe system damage! Spyware and viruses detected in the background. Sensitive system components under attack! Data loss, identity theft and system corruption are possible. Act now, click here for a free security scan.

Virus Infection! System security was found to be compromised. Your computer is now infected. Attention, irreversible system changes may occur. private data may get stolen.. click here now for an instant anti-virus scan.

Malware Intrusion! Sensitive areas of your system were found to be under attack. Spy software attack or virus infection possible. Prevent further damage or your private data will get stolen. Run an anti-spyware scan now.

XP AntiMalware Removal

Double-click the downloaded registry file (trojan_fakerean_exe_fix.reg) to run it, and click Yes to merge the registry data. This deletes the offending registry keys that block .exe files.

Install and run Malwarebytes' Anti-Malware. Go to the Update tab and check for updates. Once the update completes, open the Scanner tab and choose a full scan. Once the scan completes, click “Show results”, confirm that all instances of the rogue security software are check-marked, and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
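The first removal step merges a .reg file that the article linked to. As an added example (my reconstruction, not the article's fix file), the Python below builds an equivalent restore file from the stock Windows XP defaults: it points HKCR\.exe back at the stock `exefile` handler, resets that handler's open command to `"%1" %*`, and deletes any per-user override under HKCU\Software\Classes, which is where a rogue can redirect .exe launches without administrator rights. It also lists the keys any .reg file will set or delete, so a fix file downloaded from the web can be inspected before it is merged. The `ExampleRogueClass` name is a placeholder for a per-user class name an audit might find, not an identifier from the page.

```python
"""Build and vet the kind of registry fix file the removal step merges.

build_fix_reg() is a reconstruction of the stock Windows XP .exe association,
not the original download; reg_file_actions() shows what any .reg file does.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Matches a key section line; a leading '-' inside the brackets means "delete".
KEY_LINE = re.compile(r"^\[(-?)([^\]]+)\]\s*$")


def build_fix_reg(rogue_progids=()):
    """Return .reg text restoring the .exe handler and removing per-user overrides.

    rogue_progids: extra per-user class names (for example the progid an audit
    found HKCU\\Software\\Classes\\.exe pointing at) to delete as well. The
    stock 'exefile' class is never deleted.
    """
    lines = [
        REG_HEADER,
        "",
        # Machine-wide association back to the stock handler.
        r"[HKEY_CLASSES_ROOT\.exe]",
        '@="exefile"',
        '"Content Type"="application/x-msdownload"',
        "",
        # Stock open command: run the file itself, passing its arguments through.
        r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]",
        r'@="\"%1\" %*"',
        "",
        # Per-user override of .exe: deleting it makes HKCR fall back to HKLM.
        r"[-HKEY_CURRENT_USER\Software\Classes\.exe]",
    ]
    for progid in rogue_progids:
        if progid.lower() != "exefile":
            lines += ["", r"[-HKEY_CURRENT_USER\Software\Classes\%s]" % progid]
    return "\r\n".join(lines) + "\r\n"


def reg_file_actions(text):
    """Return [(key_path, 'set' | 'delete')] for every key section in a .reg file."""
    actions = []
    for line in text.splitlines():
        match = KEY_LINE.match(line.strip())
        if match:
            actions.append((match.group(2), "delete" if match.group(1) else "set"))
    return actions


def write_fix_reg(path, rogue_progids=()):
    """Write the fix the way regedit exports 5.00 files: UTF-16 with BOM, CRLF endings."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(build_fix_reg(rogue_progids))


if __name__ == "__main__":
    # Placeholder class name standing in for whatever an audit found; constructed.
    text = build_fix_reg(["ExampleRogueClass"])
    for key, action in reg_file_actions(text):
        print(action.upper().ljust(6), key)
```

Running `reg_file_actions()` over a downloaded fix file before merging it is the useful habit here: a legitimate restore file for this problem touches the .exe association keys and little else, so a file that sets or deletes unrelated keys deserves a closer look before you click Yes in the merge prompt.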

XP AntiMalware Scareware — Video

Note: The XP AntiMalware installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.